Matt Kettler wrote:
Yes. In fact, IP-based URLs occur more commonly in nonspam than spam.

STATISTICS-set0.txt:OVERALL SPAM% HAM% S/O RANK SCORE NAME
STATISTICS-set0.txt: 0.395 0.3920 0.4001 0.495 0.42 0.10 NORMAL_HTTP_TO_IP

Note the S/O of 0.42 means that 42% of matches to this rule were spam, and 58% were nonspam.

Ah - pity. StormBot is currently sending out tonnes of emails that contain a link to IP-based web servers (the infected hosts no doubt) which have trojans. The emails are <1K in size and in fact contain just a single line, e.g.

For You....My Love http://ip.address/

Perhaps a rule to score up NORMAL_HTTP_TO_IP if seen in conjunction with small message size could catch it. Casting my mind back, I'm sure I've seen this sort of behaviour before with older trojan mail runs - could be a winner?



--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
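
The heuristic proposed in the message above (a NORMAL_HTTP_TO_IP-style match combined with a small message size), sketched as an added Python example; it is not part of the original post and is not SpamAssassin rule code. The 1024-byte body threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
MAX_BODY_BYTES = 1024  # assumption: "<1K" from the post, applied to the body text


def ip_urls(text):
    """Return the URLs in text whose host is a literal IPv4/IPv6 address."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            ipaddress.ip_address(urlsplit(url).hostname or "")
            hits.append(url)
        except ValueError:  # host is a name, or the URL is malformed
            pass
    return hits


def classify(raw_bytes):
    """Evaluate both conditions separately, then the combined (meta) result."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    http_to_ip = bool(ip_urls(body))
    small = len(body.encode("utf-8", "replace")) < MAX_BODY_BYTES
    # An IP URL alone hits ham as often as spam, so only the conjunction flags.
    return {"http_to_ip": http_to_ip, "small": small, "flag": http_to_ip and small}


# Constructed sample messages (documentation addresses, not real traffic).
HDR = b"From: a@example.com\nTo: b@example.com\nSubject: test\n\n"
SPAMLIKE = HDR + b"For You....My Love http://192.0.2.10/\n"
HAM_LONG_IP = HDR + b"Router UI: http://192.0.2.1/admin\n" + b"Change notes line.\n" * 80
HAM_SHORT_NAME = HDR + b"Slides are at http://example.com/talk\n"

if __name__ == "__main__":
    for name, raw in [("spamlike", SPAMLIKE), ("ham_long_ip", HAM_LONG_IP),
                      ("ham_short_name", HAM_SHORT_NAME)]:
        print(name, classify(raw))
```
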
